Tokyo, Japan – Researchers from Tokyo Metropolitan University have created a new paradigm for identifying online phishing campaigns. Their new system, PhishLumos, is triggered when links show signs of concealing information, and looks for clues in the “infrastructure” of the website to uncover the whole campaign of which the site is only a tiny part. Real-world testing showed detection that was 8 days faster than an expert, with 190,000 URLs detected over 6 months.
Phishing is a rampant form of cybercrime. Criminals impersonate trusted entities like banks or employers to get victims to share sensitive information, click malicious links, or install harmful software. Less digitally savvy people are at particular risk, which not only widens the digital divide but also erodes trust in essential digital institutions.
This is why researchers have been looking for ways to shut down phishing campaigns. However, they face severe challenges. For example, most existing approaches involve analyzing individual suspicious links on the web, known as Uniform Resource Locators (URLs). While machine learning and deep learning approaches have helped realize increasingly sophisticated programs that can assess content for veracity, cybercriminals can generally produce far more malicious links in the time it takes to identify and shut down one site. Malicious content generation is also becoming cleverer; cloaking technologies can help fool scanners, leading to more malicious content making it in front of potential victims.
Now, researchers are looking for a paradigm shift. In recent work, a team led by Associate Professor Daiki Chiba from Tokyo Metropolitan University has adopted a new approach. Rather than trying to label single links as good or bad, they treat signs of cloaking as the starting point for an automated investigation that identifies the whole phishing campaign associated with a malicious actor. Their system, PhishLumos, is not evaded by withheld content; it is triggered by it. Once activated, it looks for clues in the “infrastructure” of the URL, such as which Internet Protocol (IP) addresses are involved and which network connections are used. These help map out the whole campaign of URLs involved in the same phishing project, not simply as a big list of URLs, but as a so-called Knowledge Base (KB) graph which describes how the campaign works.
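The infrastructure pivot described above can be sketched as a graph expansion from one seed host. This is an added example, not PhishLumos code or the researchers' algorithm: the record format, the `expand_campaign` function, the use of an ASN as the "network" attribute, the `max_fanout` cutoff and every hostname and address are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed observations: (hostname, attribute kind, value).
# IPs and ASNs come from documentation-reserved ranges.
OBSERVATIONS = [
    ("login-bank.example", "ip", "203.0.113.10"),
    ("login-bank.example", "asn", "AS64500"),
    ("secure-bank.example", "ip", "203.0.113.10"),
    ("secure-bank.example", "ip", "198.51.100.7"),
    ("secure-bank.example", "asn", "AS64500"),
    ("pay-update.example", "ip", "198.51.100.7"),
    ("pay-update.example", "asn", "AS64501"),
    ("blog.example", "ip", "192.0.2.20"),
    ("blog.example", "asn", "AS64501"),
    ("shop.example", "ip", "192.0.2.21"),
    ("shop.example", "asn", "AS64501"),
    ("news.example", "ip", "192.0.2.22"),
    ("news.example", "asn", "AS64501"),
]

def expand_campaign(seed, observations, max_fanout=3):
    """Breadth-first pivot from a seed host over shared infrastructure.

    Attributes shared by more than max_fanout hosts (assumed cutoff) are
    treated as shared hosting and never used to link hosts, so a busy
    provider does not pull unrelated sites into the campaign.
    Returns (set of hosts, list of (host, attribute, discovered host) edges).
    """
    hosts_by_attr = defaultdict(set)
    attrs_by_host = defaultdict(set)
    for host, kind, value in observations:
        hosts_by_attr[(kind, value)].add(host)
        attrs_by_host[host].add((kind, value))

    campaign, edges = {seed}, []
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        for attr in sorted(attrs_by_host[host]):
            peers = hosts_by_attr[attr]
            if len(peers) > max_fanout:
                continue  # too widely shared to be evidence of common control
            for peer in sorted(peers - campaign):
                campaign.add(peer)
                edges.append((host, attr, peer))  # records why the peer was linked
                queue.append(peer)
    return campaign, edges

if __name__ == "__main__":
    hosts, links = expand_campaign("login-bank.example", OBSERVATIONS)
    print(sorted(hosts))
    print(links)
```

The edge list keeps the attribute that justified each link, which is what lets an analyst review the grouping rather than trust a flat list of hostnames.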
Looking at 103 real phishing campaigns, PhishLumos was able to achieve detection 8 days faster than experts on average. In real-world tests, given 600 seed URLs as starting points, the rules that it uncovered led to the discovery of over 190,000 new links, of which 92% were later flagged as malicious. Importantly, it significantly outperformed so-called “content-centric” approaches, which go through website content instead of infrastructure clues.
Online services are already an indispensable part of modern society, so bad actors can cause widespread, irreparable harm to society. Projects like PhishLumos are an essential part of making sure that the benefits of new information technologies reach everyone in a safe and fair way.
IEEE Access
PhishLumos: From a Single URL to Campaign-Level Phishing Mitigation
25-May-2026